Change log : xorg-server package : Debian

2:21.1.13-2

Published in sid-release on 2024-08-29

xorg-server (2:21.1.13-2) unstable; urgency=medium

  * patches: Fix i386 build with gcc-14.

 -- Timo Aaltonen <email address hidden>  Thu, 29 Aug 2024 15:54:05 +0300

2:21.1.13-1

Superseded in sid-release on 2024-08-29

xorg-server (2:21.1.13-1) unstable; urgency=medium

  * New upstream release.
  * Update signing-key.asc.
  * Add upstream metadata, drop old git url from d/watch.
  * control: Migrate to pkgconf.
  * control: Substitute libgl1-mesa-dev build-dep to libglvnd-dev.

 -- Timo Aaltonen <email address hidden>  Thu, 29 Aug 2024 15:18:01 +0300

2:1.20.11-1+deb11u13

Published in bullseye-release on 2024-06-29

xorg-server (2:1.20.11-1+deb11u13) bullseye-security; urgency=high

  * render: Avoid possible double-free in ProcRenderAddGlyphs()

 -- Julien Cristau <email address hidden>  Wed, 10 Apr 2024 10:59:35 +0200

2:21.1.7-3+deb12u7

Published in bookworm-release on 2024-06-29

Published in sid-release on 2024-06-29

xorg-server (2:21.1.7-3+deb12u7) bookworm-security; urgency=high

  * render: Avoid possible double-free in ProcRenderAddGlyphs()

 -- Julien Cristau <email address hidden>  Wed, 10 Apr 2024 11:02:46 +0200

2:21.1.12-1

Superseded in sid-release on 2024-08-29

xorg-server (2:21.1.12-1) unstable; urgency=medium

  * New upstream release.
  * render: Avoid possible double-free in ProcRenderAddGlyphs()
    (closes: #1068470)

 -- Julien Cristau <email address hidden>  Wed, 10 Apr 2024 10:44:55 +0200

2:21.1.11-3

Superseded in sid-release on 2024-04-10

xorg-server (2:21.1.11-3) unstable; urgency=high

  [ Chris Hofstaedtler ]
  * Use udev.pc to place udev files (Closes: #1057945)

  [ Julien Cristau ]
  * Pull from upstream server-21.1-branch:
    - hw/xfree86: fix NULL pointer refrence to mode name
    - Initialize Mode->name in xf86CVTMode()
    - Allow disabling byte-swapped clients
    - Xext: SProcSyncCreateFence needs to swap drawable id too
    - Xi: ProcXIGetSelectedEvents needs to use unswapped length to send
      reply (CVE-2024-31080)
    - Xi: ProcXIPassiveGrabDevice needs to use unswapped length to send
      reply (CVE-2024-31081)
    - Xquartz: ProcAppleDRICreatePixmap needs to use unswapped length to
      send reply (CVE-2024-31082)
    - render: fix refcounting of glyphs during ProcRenderAddGlyphs
      (CVE-2024-31083)
  * dix-Fix-use-after-free-in-input-device-shutdown.patch: drop (already
    cherry-picked).

 -- Julien Cristau <email address hidden>  Wed, 03 Apr 2024 21:09:12 +0200

2:1.20.11-1+deb11u11

Superseded in bullseye-release on 2024-06-29

xorg-server (2:1.20.11-1+deb11u11) bullseye-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Xi: require a pointer and keyboard device for XIAttachToMaster
  * dix: allocate enough space for logical button maps (CVE-2023-6816)
  * dix: Allocate sufficient xEvents for our DeviceStateNotify (CVE-2024-0229)
  * dix: fix DeviceStateNotify event calculation (CVE-2024-0229)
  * Xi: when creating a new ButtonClass, set the number of buttons
    (CVE-2024-0229)
  * Xi: flush hierarchy events after adding/removing master devices
    (CVE-2024-21885)
  * Xi: do not keep linked list pointer during recursion (CVE-2024-21886)
  * dix: when disabling a master, float disabled slaved devices too
    (CVE-2024-21886)
  * ephyr,xwayland: Use the proper private key for cursor
  * glx: Call XACE hooks on the GLX buffer
  * dix: Fix use after free in input device shutdown

 -- Salvatore Bonaccorso <email address hidden>  Mon, 22 Jan 2024 07:21:42 +0100

2:21.1.7-3+deb12u5

Superseded in sid-release on 2024-06-29

Superseded in bookworm-release on 2024-06-29

xorg-server (2:21.1.7-3+deb12u5) bookworm-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Xi: require a pointer and keyboard device for XIAttachToMaster
  * dix: allocate enough space for logical button maps (CVE-2023-6816)
  * dix: Allocate sufficient xEvents for our DeviceStateNotify (CVE-2024-0229)
  * dix: fix DeviceStateNotify event calculation (CVE-2024-0229)
  * Xi: when creating a new ButtonClass, set the number of buttons
    (CVE-2024-0229)
  * Xi: flush hierarchy events after adding/removing master devices
    (CVE-2024-21885)
  * Xi: do not keep linked list pointer during recursion (CVE-2024-21886)
  * dix: when disabling a master, float disabled slaved devices too
    (CVE-2024-21886)
  * ephyr,xwayland: Use the proper private key for cursor
  * glx: Call XACE hooks on the GLX buffer
  * dix: Fix use after free in input device shutdown

 -- Salvatore Bonaccorso <email address hidden>  Mon, 22 Jan 2024 07:19:15 +0100

2:21.1.11-2

Superseded in sid-release on 2024-04-04

xorg-server (2:21.1.11-2) unstable; urgency=medium

  [ Salvatore Bonaccorso ]
  * dix: Fix use after free in input device shutdown (Closes: #1061110)

 -- Julien Cristau <email address hidden>  Mon, 22 Jan 2024 13:17:07 +0100

2:21.1.11-1

Superseded in sid-release on 2024-01-22

xorg-server (2:21.1.11-1) unstable; urgency=medium

  * New upstream release, fixes:
    - CVE-2023-6816
    - CVE-2024-0229
    - CVE-2024-21885
    - CVE-2024-21886
    - CVE-2024-0408
    - CVE-2024-0409

 -- Julien Cristau <email address hidden>  Tue, 16 Jan 2024 15:33:53 +0100

2:21.1.10-1

Superseded in sid-release on 2024-01-17

xorg-server (2:21.1.10-1) unstable; urgency=medium

  [ Emilio Pozuelo Monfort ]
  * Fix build on hurd-amd64. Thanks Samuel Thibault. (Closes: #1055412)

  [ Timo Aaltonen ]
  * New upstream release.
    - CVE-2023-6377
    - CVE-2023-6478

 -- Timo Aaltonen <email address hidden>  Wed, 13 Dec 2023 09:51:20 +0200

2:21.1.7-3+deb12u2

Superseded in bookworm-release on 2024-02-10

Superseded in sid-release on 2024-02-10

xorg-server (2:21.1.7-3+deb12u2) bookworm-security; urgency=high

  * 0003-mi-fix-CloseScreen-initialization-order.patch,
    0004-fb-properly-wrap-unwrap-CloseScreen.patch: drop, causes other
    bugs that are worse than CVE-2023-5574.

 -- Julien Cristau <email address hidden>  Wed, 25 Oct 2023 09:35:47 +0200

2:21.1.9-1

Superseded in sid-release on 2023-12-20

xorg-server (2:21.1.9-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2023-5367
    - CVE-2023-5380
    - CVE-2023-5574

 -- Timo Aaltonen <email address hidden>  Wed, 25 Oct 2023 10:43:00 +0300

2:21.1.8-1

Superseded in sid-release on 2023-10-30

xorg-server (2:21.1.8-1) unstable; urgency=medium

  * patches: Drop an obsolete patch. (Closes: #1034413)
  * New upstream release.

 -- Timo Aaltonen <email address hidden>  Tue, 01 Aug 2023 12:26:02 +0300

2:21.1.7-3

Superseded in bookworm-release on 2023-12-09

Superseded in sid-release on 2023-12-09

xorg-server (2:21.1.7-3) unstable; urgency=medium

  * Enable DRI2 for the udeb build, needed in addition to DRM support
    since 9c81b8f5b5 to build the modesetting driver. This fixes failures
    to start X in the graphical installer under UTM (Closes: #1035014).
    Thanks to Keith Toh for the report and the follow-up tests!

 -- Cyril Brulebois <email address hidden>  Wed, 03 May 2023 03:41:41 +0200

2:1.20.11-1+deb11u6

Superseded in bullseye-release on 2024-02-10

xorg-server (2:1.20.11-1+deb11u6) bullseye-security; urgency=high

  * composite: Fix use-after-free of the COW (CVE-2023-1393)

 -- Julien Cristau <email address hidden>  Thu, 23 Mar 2023 11:25:56 +0100

2:21.1.7-2

Superseded in sid-release on 2023-05-16

xorg-server (2:21.1.7-2) unstable; urgency=high

  * composite: Fix use-after-free of the COW
    ZDI-CAN-19866/CVE-2023-1393

 -- Julien Cristau <email address hidden>  Wed, 29 Mar 2023 15:11:07 +0200

2:21.1.7-1

Superseded in sid-release on 2023-04-29

xorg-server (2:21.1.7-1) unstable; urgency=medium

  * New upstream release
    + Xi: fix potential use-after-free in DeepCopyPointerClasses
      (CVE-2023-0494, closes: #1030777)

 -- Julien Cristau <email address hidden>  Tue, 07 Feb 2023 14:15:45 +0100

2:21.1.6-1

Superseded in sid-release on 2023-02-17

xorg-server (2:21.1.6-1) unstable; urgency=medium

  * New upstream release.
  * patches: Drop upstreamed patches.
  * Add signing-key from Olivier Fourdan.

 -- Timo Aaltonen <email address hidden>  Thu, 05 Jan 2023 16:02:46 +0200

2:1.20.11-1+deb11u3

Superseded in bullseye-release on 2023-04-29

xorg-server (2:1.20.11-1+deb11u3) bullseye-security; urgency=medium

  * xkb: proof GetCountedString against request length attacks (CVE-2022-3550)
  * xkb: fix some possible memleaks in XkbGetKbdByName (CVE-2022-3551)

 -- Emilio Pozuelo Monfort <email address hidden>  Fri, 11 Nov 2022 13:37:52 +0100

2:21.1.5-1

Superseded in sid-release on 2023-01-07

xorg-server (2:21.1.5-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2022-46340, CVE-2022-46341, CVE-2022-46342, CVE-2022-46343,
      CVE-2022-46344, CVE-2022-46283
  * Add signing-key from Peter Hutterer.

 -- Timo Aaltonen <email address hidden>  Wed, 14 Dec 2022 11:10:24 +0200

2:21.1.4-3

Superseded in sid-release on 2022-12-14

xorg-server (2:21.1.4-3) unstable; urgency=medium

  * xkb: proof GetCountedString against request length attacks (CVE-2022-3550)
  * xkb: fix some possible memleaks in XkbGetKbdByName (CVE-2022-3551)

 -- Emilio Pozuelo Monfort <email address hidden>  Fri, 11 Nov 2022 13:35:13 +0100

2:21.1.4-2

Superseded in sid-release on 2022-11-12

xorg-server (2:21.1.4-2) unstable; urgency=medium

  * 001_fedora_extramodes.patch: Dropped, apparently obsolete since
    1.5.0. (LP: #1990456)

 -- Timo Aaltonen <email address hidden>  Thu, 22 Sep 2022 08:53:59 +0300

2:1.20.11-1+deb11u2

Superseded in bullseye-release on 2022-12-17

Superseded in sid-release on 2022-10-11

xorg-server (2:1.20.11-1+deb11u2) bullseye-security; urgency=medium

  * xkb: add request length validation for XkbSetGeometry (CVE-2022-2319)
  * xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck (CVE-2022-2320)
  * Closes: #1014903.

 -- Emilio Pozuelo Monfort <email address hidden>  Fri, 05 Aug 2022 10:00:36 +0200

2:21.1.4-1

Superseded in sid-release on 2023-02-19

xorg-server (2:21.1.4-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2022-2319, CVE-2022-2320 (Closes: #1014903)

 -- Timo Aaltonen <email address hidden>  Mon, 25 Jul 2022 12:46:43 +0300

2:1.20.4-1+deb10u4

Published in buster-release on 2022-03-26

xorg-server (2:1.20.4-1+deb10u4) buster-security; urgency=high

  * record: Fix out of bounds access in SwapCreateRegister() [CVE-2021-4011]
  * xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier() [CVE-2021-4009]
  * Xext: Fix out of bounds access in SProcScreenSaverSuspend() [CVE-2021-4010]
  * render: Fix out of bounds access in SProcRenderCompositeGlyphs() [CVE-2021-4008]

 -- Julien Cristau <email address hidden>  Sat, 18 Dec 2021 10:05:36 +0100

2:1.20.11-1+deb11u1

Superseded in bullseye-release on 2022-09-10

Superseded in sid-release on 2022-09-10

xorg-server (2:1.20.11-1+deb11u1) bullseye-security; urgency=high

  * Team upload.
  * record: Fix out of bounds access in SwapCreateRegister() [CVE-2021-4011]
  * xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier() [CVE-2021-4009]
  * Xext: Fix out of bounds access in SProcScreenSaverSuspend() [CVE-2021-4010]
  * render: Fix out of bounds access in SProcRenderCompositeGlyphs() [CVE-2021-4008]

 -- Julien Cristau <email address hidden>  Thu, 16 Dec 2021 18:08:23 +0100

2:21.1.3-2

Superseded in sid-release on 2022-07-26

xorg-server (2:21.1.3-2) unstable; urgency=medium

  * present-Check-for-NULL-to-prevent-crash.patch: Fix a crash with
    nvidia 495.

 -- Timo Aaltonen <email address hidden>  Wed, 09 Feb 2022 12:19:09 +0200

2:1.20.14-1

Superseded in sid-release on 2022-02-09

xorg-server (2:1.20.14-1) unstable; urgency=medium

  * New upstream release.

 -- Timo Aaltonen <email address hidden>  Tue, 11 Jan 2022 16:21:08 +0200

2:21.1.3-1

Deleted in experimental-release (Reason: None provided.)

xorg-server (2:21.1.3-1) experimental; urgency=medium

  * New upstream release.

 -- Timo Aaltonen <email address hidden>  Mon, 10 Jan 2022 17:54:12 +0200

2:1.20.13-3

Superseded in sid-release on 2022-01-12

xorg-server (2:1.20.13-3) unstable; urgency=high

  * Team upload.
  * record: Fix out of bounds access in SwapCreateRegister() [CVE-2021-4011]
  * xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier() [CVE-2021-4009]
  * Xext: Fix out of bounds access in SProcScreenSaverSuspend() [CVE-2021-4010]
  * render: Fix out of bounds access in SProcRenderCompositeGlyphs() [CVE-2021-4008]

 -- Julien Cristau <email address hidden>  Tue, 14 Dec 2021 14:38:21 +0100

2:1.20.13-2

Superseded in sid-release on 2021-12-14

xorg-server (2:1.20.13-2) unstable; urgency=medium

  * Upload to unstable.
  * Disable building xwayland.

 -- Timo Aaltonen <email address hidden>  Sat, 27 Nov 2021 13:03:35 +0200

2:21.1.1-2

Superseded in experimental-release on 2022-01-10

xorg-server (2:21.1.1-2) experimental; urgency=medium

  * Fix serverminver.
  * control: Add libxcvt-dev to xserver-xorg-dev depends.

 -- Timo Aaltonen <email address hidden>  Sat, 27 Nov 2021 11:18:56 +0200

2:21.1.1-1

Superseded in experimental-release on 2021-12-05

xorg-server (2:21.1.1-1) experimental; urgency=medium

  * New upstream release.
  * 04_compiler_h_inb_outb_mips.diff: Dropped, upstream.
  * Xwayland is dropped from this souce, don't try to build it.
  * Xdmx is gone, drop it from the build.
  * serverminver: Bump versions.
  * control: Bump x11proto-dev and libx1-dev depends.
  * control: Add libxcvt-dev to build-depends, xcvt to -core Recommends.
  * control: Bump libdrm-dev build-depends.
  * Update signing-key.asc.

 -- Timo Aaltonen <email address hidden>  Wed, 17 Nov 2021 16:31:46 +0200

2:1.20.13-1

Superseded in experimental-release on 2021-12-17

xorg-server (2:1.20.13-1) experimental; urgency=medium

  * New upstream release.

 -- Timo Aaltonen <email address hidden>  Tue, 10 Aug 2021 12:27:00 +0300

2:1.20.4-1+deb10u3

Superseded in buster-release on 2022-03-26

xorg-server (2:1.20.4-1+deb10u3) buster-security; urgency=high

  * Fix XChangeFeedbackControl() request underflow (CVE-2021-3472)

 -- Julien Cristau <email address hidden>  Mon, 19 Apr 2021 11:34:38 +0200

2:1.20.11-1

Superseded in bullseye-release on 2022-03-26

Superseded in sid-release on 2022-03-26

xorg-server (2:1.20.11-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2021-3472
  * Add signing key for Matt Turner.

 -- Timo Aaltonen <email address hidden>  Tue, 13 Apr 2021 19:07:31 +0300

2:1.20.10-3

Superseded in sid-release on 2021-06-10

Superseded in sid-release on 2021-04-13

xorg-server (2:1.20.10-3) unstable; urgency=medium

  [ Julien Cristau ]
  * Drop workaround for mips* FTBFS added in 2:1.20.10-1, shouldn't be
    necessary anymore with the change in 2:1.20.10-2.

  [ Sven Joachim ]
  * Recommend default-logind | logind rather than libpam-systemd in
    xserver-xorg-core (Closes: #923198).
  * Use mktemp rather than tempfile in xserver-xorg-legacy.postinst
    (Closes: #979751).
  * Use dpkg-vendor to get the vendor name, drop lsb-release from
    Build-Depends.

   [ Vagrant Cascadian ]
  * Avoid embedding the running kernel version (Closes: #976898).

 -- Timo Aaltonen <email address hidden>  Wed, 17 Feb 2021 11:17:43 +0200

2:1.20.4-1+deb10u2

Superseded in buster-release on 2021-06-19

Superseded in sid-release on 2021-06-19

xorg-server (2:1.20.4-1+deb10u2) buster-security; urgency=medium

  * CVE-2020-14360 CVE-2020-25712

 -- Moritz Mühlenhoff <email address hidden>  Tue, 01 Dec 2020 18:59:57 +0100

2:1.20.10-2

Superseded in sid-release on 2021-02-17

xorg-server (2:1.20.10-2) unstable; urgency=medium

  * Stop defining inb/outb on mips, to fix FTBFS in some drivers with GCC 10
    (closes: #978670).

 -- Julien Cristau <email address hidden>  Wed, 06 Jan 2021 10:33:33 +0100

2:1.20.10-1

Superseded in sid-release on 2021-01-06

xorg-server (2:1.20.10-1) unstable; urgency=medium

  [ Timo Aaltonen ]
  * New upstream release.
    - CVE-2020-14360, CVE-2020-25712 (Closes: #976216)
  * Drop patches:
    - 0001-Revert-*: Reverted upstream in this version
    - revert-hw-xfree86-avoid-cursor-use-after-free.diff: Issue fixed in this version
    - revert-disabling-xss-for-rootless-xwayland.diff: Was resolved upstream as
      being a client bug
  * control: Add libnvidia-egl-wayland-dev to build-depends, enables
    EGLStream support in xwayland.

  [ Adrian Bunk ]
  * rules: Add a workaround to fix build on mips*. (Closes: #975579)

 -- Timo Aaltonen <email address hidden>  Wed, 02 Dec 2020 12:41:35 +0200

2:1.20.9-2

Superseded in sid-release on 2020-12-02

xorg-server (2:1.20.9-2) unstable; urgency=medium

  * fix-pci-probing-segfault.diff: Dropped and revert three commits
    instead. (Closes: #969739)

 -- Timo Aaltonen <email address hidden>  Thu, 24 Sep 2020 12:19:06 +0300

2:1.20.4-1+deb10u1

Superseded in buster-release on 2021-02-06

Superseded in sid-release on 2021-02-05

xorg-server (2:1.20.4-1+deb10u1) buster-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix for ZDI-11426 (CVE-2020-14347) (Closes: #968986)
  * Correct bounds checking in XkbSetNames() (CVE-2020-14345)
  * Fix XIChangeHierarchy() integer underflow (CVE-2020-14346)
  * Fix XkbSelectEvents() integer underflow (CVE-2020-14361)
  * Fix XRecordRegisterClients() Integer underflow (CVE-2020-14362)

 -- Salvatore Bonaccorso <email address hidden>  Thu, 27 Aug 2020 10:51:48 +0200

2:1.20.9-1

Superseded in sid-release on 2020-09-24

xorg-server (2:1.20.9-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2020-14347 (Closes: #968986)
  * fix-pci-probing-segfault.diff: Fix a regression in 1.20.9 when
    probing the GPU.
  * revert-hw-xfree86-avoid-cursor-use-after-free.diff: Revert a commit
    which is causing server crashes.
  * revert-disabling-xss-for-rootless-xwayland.diff: Fix a regression
    where apps crash under Xwayland.

 -- Timo Aaltonen <email address hidden>  Mon, 31 Aug 2020 18:49:48 +0300

2:1.20.8-2

Superseded in sid-release on 2021-04-16

Superseded in sid-release on 2020-12-02

xorg-server (2:1.20.8-2) unstable; urgency=medium

  * rules: Exclude udeb/ from indep dh_missing. (Closes: #955399)

 -- Timo Aaltonen <email address hidden>  Tue, 31 Mar 2020 13:14:40 +0300

2:1.20.8-1

Superseded in sid-release on 2020-04-01

xorg-server (2:1.20.8-1) unstable; urgency=medium

  * New upstream release.
  * patches: Dropped patches applied upstream:
    - fix-modesetting-build.diff
    - add-EGL_QUERY_DRIVER-check.diff
    - fix-rotate-crash.diff
  * control: Use debhelper-compat, bump to 12.
  * rules: Migrate to dh_missing.

 -- Timo Aaltonen <email address hidden>  Mon, 30 Mar 2020 15:48:38 +0300

2:1.20.7-4

Superseded in sid-release on 2020-12-02

xorg-server (2:1.20.7-4) unstable; urgency=medium

  [ Jordan Justen ]
  * add-EGL_QUERY_DRIVER-check.diff: Add missing change from upstream
    to fix glamor getting the driver name from EGL.

 -- Timo Aaltonen <email address hidden>  Sat, 29 Feb 2020 07:05:06 +0200

2:1.20.7-3

Superseded in sid-release on 2020-02-29

xorg-server (2:1.20.7-3) unstable; urgency=medium

  * fix-rotate-crash.diff: Fix a crash if rotation is set on xorg.conf.
    (Closes: #949257)

 -- Timo Aaltonen <email address hidden>  Wed, 05 Feb 2020 18:27:36 +0200

2:1.20.7-2

Superseded in sid-release on 2020-02-06

xorg-server (2:1.20.7-2) unstable; urgency=medium

  * add-EGL_QUERY_DRIVER-check.diff: Add a check for EGL_QUERY_DRIVER to
    autotools.

 -- Timo Aaltonen <email address hidden>  Tue, 14 Jan 2020 12:13:49 +0200

2:1.20.6-1

Superseded in sid-release on 2020-01-15

xorg-server (2:1.20.6-1) unstable; urgency=medium

  [ Sven Joachim ]
  * Remove the explicit build and build-indep targets (Closes: #941128).
  * Exclude the directory where xorg-server.tar.xz is built from it
    (Closes: #930405).
  * Make the xorg-server-source binary package reproducible by specifying
    suitable options to tar when creating /tmp/xorg-server.tar.xz.
  * Set Rules-Requires-Root to binary-targets.
  * Drop dependency on dummy package libegl1-mesa (Closes: #930608).
  * Remove no longer used lintian overrides from version 2:1.11.2.901-1.
  * Bump debhelper compat level to 11.
    - Drop autoreconf and --parallel from the dh sequence, default since
      compat level 10.  Remove dh-autoreconf from Build-Depends, redundant.
  * Drop dpkg-dev build dependency, already fulfilled in wheezy.
  * Add xz-utils to Build-Depends-Indep.
  * Fix a typo in the xvfb-run manpage.

  [ Timo Aaltonen ]
  * New upstream release.
  * Add signing key from Matt Turner.

 -- Timo Aaltonen <email address hidden>  Mon, 25 Nov 2019 11:49:09 +0200

2:1.20.4-1

Superseded in buster-release on 2020-09-26

Superseded in sid-release on 2020-09-23

xorg-server (2:1.20.4-1) unstable; urgency=medium

  [ Timo Aaltonen ]
  * New upstream release.
    - present/wnmd: Fix use after free on CRTC removal
      (Closes: #920665).
    - xwayland: Replace xwl_window::present_window with
      ::present_flipped (Closes: #921734).

  [ Andreas Boll ]
  * Refresh 07_use-modesetting-driver-by-default-on-GeForce.diff.

 -- Andreas Boll <email address hidden>  Tue, 05 Mar 2019 21:11:12 +0100

2:1.19.2-1+deb9u5

Superseded in buster-release on 2019-03-11

Superseded in sid-release on 2019-03-05

Published in stretch-release on 2018-11-10

xorg-server (2:1.19.2-1+deb9u5) stretch; urgency=medium

  * Cherry-pick c2954b16c (glx: do not pick sRGB config for 32-bit RGBA
    visual) from upstream. Fixes various blending issues with kwin and
    Mesa >= 18.0 (i.e. Mesa from stretch-backports) (Closes: #908601).
    Thanks to Nicholas D Steeves and Robert Trebula for testing!

 -- Andreas Boll <email address hidden>  Wed, 31 Oct 2018 17:58:03 +0100

2:1.20.3-1

Superseded in buster-release on 2019-07-03

Superseded in sid-release on 2019-07-03

xorg-server (2:1.20.3-1) unstable; urgency=medium

  * New upstream release.
    - Disables -logfile and -modulepath when running with elevated
      privileges (CVE-2018-14665).

 -- Andreas Boll <email address hidden>  Thu, 25 Oct 2018 20:15:23 +0200

2:1.20.2-1

Superseded in sid-release on 2018-10-26

xorg-server (2:1.20.2-1) unstable; urgency=medium

  * New upstream release.
    - Fixes various crashes with xwayland (Closes: #777625, #881891,
      #911146).
    - Fixes a crash when running the X server inside virtualbox
      (Closes: #911680).
  * Drop 08_dont-init-glamor-on-llvmpipe.diff, upstream.
  * Set source format to 1.0.

 -- Andreas Boll <email address hidden>  Thu, 25 Oct 2018 10:19:31 +0200

2:1.20.1-5

Superseded in buster-release on 2018-10-31

Superseded in sid-release on 2018-10-25

xorg-server (2:1.20.1-5) unstable; urgency=medium

  [ Timo Aaltonen ]
  * 08_dont-init-glamor-on-llvmpipe.diff: Glamor shouldn't be used on
    llvmpipe, as it might end up crashing the server on a racy bootup.
    (LP: #1792932) (Closes: #907655, #910135)

 -- Andreas Boll <email address hidden>  Wed, 10 Oct 2018 18:23:15 +0200

2:1.20.1-4

Superseded in buster-release on 2018-10-16

Superseded in sid-release on 2018-10-11

xorg-server (2:1.20.1-4) unstable; urgency=medium

  [ Julien Cristau ]
  * Disable libunwind in udeb build.
  * Disable libunwind backtraces on mips to work around bug#909242.  Thanks,
    Simon McVittie!

 -- Timo Aaltonen <email address hidden>  Wed, 26 Sep 2018 13:20:47 +0300

2:1.20.1-3

Superseded in sid-release on 2018-09-26

xorg-server (2:1.20.1-3) unstable; urgency=medium

  * xvfb-run*: Update default resolution and bitdepth to match upstream
    defaults.
  * Limit libunwind to archs that actually have it. (Closes: #909240)

 -- Timo Aaltonen <email address hidden>  Thu, 20 Sep 2018 11:26:11 +0300

2:1.20.1-2

Superseded in sid-release on 2018-09-20

xorg-server (2:1.20.1-2) unstable; urgency=medium

  * control, rules: Use libunwind for backtracing.
  * 07_use-modesetting-driver-by-default-on-GeForce.diff: Add a patch from
    Fedora to use modesetting on NVIDIA GeForce8 and newer.

 -- Timo Aaltonen <email address hidden>  Tue, 18 Sep 2018 17:27:28 +0300

2:1.20.1-1

Superseded in buster-release on 2018-10-01

Superseded in sid-release on 2019-06-04

xorg-server (2:1.20.1-1) unstable; urgency=medium

  [ Julien Cristau ]
  * xvfb-run portability improvements by Eli Schwartz (thanks!):
    + Fix use of deprecated tempfile utility
    + Use builtin `case` to test variable value, rather than external `expr`
    + Use "command -v" rather than "which" (closes: #889676)

  [ Sven Joachim ]
  * Depend on x11proto-dev rather than on the transitional x11proto-*-dev
    packages in xserver-xorg-dev (Closes: #900125).
  * Remove remaining x11proto-*-dev packages from Build-Depends.

  [ Andreas Boll ]
  * New upstream release.
    - exa: Use PictureMatchFormat for source-only picture format
      description (Closes: #900550).
    - modesetting: use drmmode_bo_import() for rotate_fb
      (Closes: #906034, #900658).
  * Drop 07_fix_glamor_fds_from_pixmap.diff, upstream.

 -- Andreas Boll <email address hidden>  Fri, 17 Aug 2018 22:05:00 +0200

2:1.20.0-3

Superseded in buster-release on 2018-08-23

Superseded in sid-release on 2018-08-18

xorg-server (2:1.20.0-3) unstable; urgency=medium

  [ Timo Aaltonen ]
  * control: Add Breaks on libgl1-mesa-dri older than 18.0.5.

  [ Mike Hommey ]
  * 07_fix_glamor_fds_from_pixmap.diff: Apply 3da999a and 4d5950c from
    upstream to fix an infinite loop in XWayland. Closes: #901883.

 -- Timo Aaltonen <email address hidden>  Sun, 01 Jul 2018 20:07:24 +0300

2:1.20.0-2

Superseded in sid-release on 2018-07-08

xorg-server (2:1.20.0-2) unstable; urgency=medium

  * Bump some minimum (build) dependencies.
  * Release to unstable.

 -- Emilio Pozuelo Monfort <email address hidden>  Thu, 24 May 2018 18:23:27 +0200

2:1.20.0-1

Deleted in experimental-release (Reason: None provided.)

xorg-server (2:1.20.0-1) experimental; urgency=medium

  [ Timo Aaltonen ]
  * New upstream release candidate. (Closes: #868843)

  [ Emilio Pozuelo Monfort ]
  * New upstream stable release.
  * Update Vcs-* for salsa.

 -- Emilio Pozuelo Monfort <email address hidden>  Sat, 19 May 2018 15:04:00 +0200

2:1.19.99.901-1

Superseded in experimental-release on 2018-05-20

xorg-server (2:1.19.99.901-1) experimental; urgency=medium

  * New upstream release candidate.
  * control: Replace old proto build-deps with x11proto-dev.
  * patches: Refreshed, drop 07 which is upstream.
  * serverminver: Updated.
  * rules: Override dh_clean, and remove cruft left over after a build.

 -- Timo Aaltonen <email address hidden>  Fri, 23 Mar 2018 18:18:38 +0200

2:1.19.6-1

Superseded in sid-release on 2018-12-06

Superseded in buster-release on 2018-12-07

Superseded in sid-release on 2018-05-25

xorg-server (2:1.19.6-1) unstable; urgency=medium

  [ Emilio Pozuelo Monfort ]
  * Use --sourcedir=debian/tmp/udeb for the udeb package and
    --sourcedir=debian/tmp/main for the rest, so that we don't have
    to specify where the files come from as well as where they should
    be installed to in *.install.
  * Install xorg-server.pc to a multiarch location. Based on a patch
    from Helmut Grohne. Closes: #836453.
  * Move xserver-xorg-legacy to priority optional, as priority extra is
    deprecated.
  * Make calculation of xserver-xorg-core's xinput/video ABI provides more
    robust.
  * Use ${prefix} rather than ${libexecdir} for --with-module-dir, as the
    module dir ends up in the pkg-config file, where libexecdir is not
    defined.

  [ Timo Aaltonen ]
  * New upstream release.
  * 07-glx-do-not-pick-srgb-config-for-32bit-rgba-visual.diff: Add a
    patch from upstream to fix potential issues with mesa git.

 -- Timo Aaltonen <email address hidden>  Thu, 18 Jan 2018 14:11:18 +0200

2:1.16.4-1+deb8u2

Published in jessie-release on 2017-12-09

xorg-server (2:1.16.4-1+deb8u2) jessie-security; urgency=high

  * render: Fix out of boundary heap access
  * Xext/shm: Validate shmseg resource id (CVE-2017-13721)
  * xkb: Escape non-printable characters correctly.
  * xkb: Handle xkb formated string output safely (CVE-2017-13723)
  * os: Make sure big requests have sufficient length.
  * Unvalidated lengths in
    - XFree86-VidModeExtension (CVE-2017-12180)
    - XFree86-DGA (CVE-2017-12181)
    - XFree86-DRI (CVE-2017-12182)
    - XFIXES (CVE-2017-12183)
    - XINERAMA (CVE-2017-12184)
    - MIT-SCREEN-SAVER (CVE-2017-12185)
    - X-Resource (CVE-2017-12186)
    - RENDER (CVE-2017-12187)
  * Xi: Test exact size of XIBarrierReleasePointer
  * Xi: integer overflow and unvalidated length in
    (S)ProcXIBarrierReleasePointer (CVE-2017-12179)
  * Xi: Silence some tautological warnings
  * Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178)
  * dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177)
  * Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
  * Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES (CVE-2017-2624)
  * Xwayland: enable access control and default to just the local user (CVE-2015-3164)

 -- Julien Cristau <email address hidden>  Sat, 14 Oct 2017 12:35:36 +0200

2:1.19.2-1+deb9u2

Superseded in buster-release on 2018-11-16

Superseded in stretch-release on 2018-11-10

Superseded in sid-release on 2018-11-10

xorg-server (2:1.19.2-1+deb9u2) stretch-security; urgency=high

  * Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
  * dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo
    (CVE-2017-12177)
  * Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178)
  * Xi: integer overflow and unvalidated length in
    (S)ProcXIBarrierReleasePointer (CVE-2017-12179)
  * Unvalidated lengths in
    - XFree86-VidModeExtension (CVE-2017-12180)
    - XFree86-DGA (CVE-2017-12181)
    - XFree86-DRI (CVE-2017-12182)
    - XFIXES (CVE-2017-12183)
    - XINERAMA (CVE-2017-12184
    - MIT-SCREEN-SAVER (CVE-2017-12185
    - X-Resource (CVE-2017-12186
    - RENDER (CVE-2017-12187)
  * os: Make sure big requests have sufficient length.
  * Xext/shm: Validate shmseg resource id (CVE-2017-13721)
  * xkb: Handle xkb formated string output safely (CVE-2017-13723)
  * xkb: Escape non-printable characters correctly.
  * render: Fix out of boundary heap access

 -- Julien Cristau <email address hidden>  Sat, 14 Oct 2017 13:36:12 +0200

2:1.19.5-1

Superseded in buster-release on 2018-06-11

Superseded in sid-release on 2019-01-19

xorg-server (2:1.19.5-1) unstable; urgency=high

  [ Emilio Pozuelo Monfort ]
  * rules: Try to simplify a bit flags handling and move them
    to rules.flags.
  * rules: Remove --disable-silent-rules, dh passes that for us.

  [ Andreas Boll ]
  * New upstream release.
    - CVE-2017-12176, CVE-2017-12177, CVE-2017-12178, CVE-2017-12179,
    - CVE-2017-12180, CVE-2017-12181, CVE-2017-12182, CVE-2017-12183,
    - CVE-2017-12184, CVE-2017-12185, CVE-2017-12186, CVE-2017-12187

 -- Julien Cristau <email address hidden>  Fri, 13 Oct 2017 11:28:05 +0200

2:1.19.4-1

Superseded in sid-release on 2017-10-17

xorg-server (2:1.19.4-1) unstable; urgency=medium

  [ Sven Joachim ]
  * xvfb-run: Do not redirect stderr to stdout when running the program
    (Closes: #868876, LP: #1059947).

  [ Timo Aaltonen ]
  * New upstream release. (Closes: #855206, #857983, #860886)
    - CVE-2017-13721, CVE-2017-13723
  * rules: Drop dh_strip override, dbgsym transition is done
    (Closes: #876690).
  * signing-key.asc: Update Adam Jackson's key.

  [ Julien Cristau ]
  * Restore definition of DEB_HOST_ARCH_OS in debian/rules, lost in dh
    conversion (2:1.19.1-1).  Thanks, Helmut Grohne!

 -- Timo Aaltonen <email address hidden>  Tue, 10 Oct 2017 00:33:18 +0300

2:1.16.4-1+deb8u1

Superseded in jessie-release on 2017-12-09

xorg-server (2:1.16.4-1+deb8u1) jessie-security; urgency=medium

  * CVE-2017-10971 CVE-2017-10972

 -- Moritz Mühlenhoff <email address hidden>  Thu, 06 Jul 2017 22:34:31 +0200

2:1.19.2-1+deb9u1

Superseded in stretch-release on 2017-12-09

Superseded in buster-release on 2017-12-14

Superseded in sid-release on 2017-12-09

xorg-server (2:1.19.2-1+deb9u1) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2017-10971: stack buffer overflow in X Event structures handling
    (Closes: #867492)
  * CVE-2017-10972: information leak due to an uninitialized stack area when
    swapping endianess.
    (Closes: #867492)

 -- Salvatore Bonaccorso <email address hidden>  Fri, 07 Jul 2017 07:09:57 +0200

2:1.19.3-2

Superseded in buster-release on 2017-12-05

Superseded in sid-release on 2017-12-05

xorg-server (2:1.19.3-2) unstable; urgency=high

  * CVE-2017-10972: information leak out of the X server due to an
    uninitialized stack area when swapping:
    - Xi: Zero target buffer in SProcXSendExtensionEvent
  * CVE-2017-10971: stack overflow due to missing GenericEvent handling in
    XSendEvent:
    - dix: Disallow GenericEvent in SendEvent request
    - Xi: Verify all events in ProcXSendExtensionEvent
    - Xi: Do not try to swap GenericEvent
  * With both those fixes, this closes: #867492

 -- Julien Cristau <email address hidden>  Fri, 07 Jul 2017 07:31:11 +0200

2:1.19.3-1

Superseded in sid-release on 2017-08-28

xorg-server (2:1.19.3-1) unstable; urgency=medium

  * New upstream release.

 -- Emilio Pozuelo Monfort <email address hidden>  Wed, 15 Mar 2017 20:53:42 +0100

2:1.19.2-1

Superseded in buster-release on 2017-07-22

Superseded in sid-release on 2017-07-22

Superseded in stretch-release on 2017-07-22

Superseded in sid-release on 2017-03-16

xorg-server (2:1.19.2-1) unstable; urgency=medium

  [ Andreas Boll ]
  * xserver-xorg-core.bug.script: Change udevadm path from /sbin to /bin
    (Closes: #852584).

  [ Emilio Pozuelo Monfort ]
  * New upstream stable release.
    - CVE-2017-2624: Timing attack against MIT cookie. Closes: #856398.
  * control: Build-depend on libbsd-dev everywhere, needed for
    arc4random_buf for the above fix.

 -- Emilio Pozuelo Monfort <email address hidden>  Fri, 03 Mar 2017 15:41:15 +0100

2:1.19.1-4

Superseded in stretch-release on 2017-03-11

Superseded in sid-release on 2019-06-04

xorg-server (2:1.19.1-4) unstable; urgency=medium

  * rules: Only set the suid bit on Xorg.wrap when building arch:any
    packages. Thanks Julien Cristau.

 -- Emilio Pozuelo Monfort <email address hidden>  Fri, 20 Jan 2017 00:22:09 +0100

2:1.19.1-3

Superseded in sid-release on 2017-01-20

xorg-server (2:1.19.1-3) unstable; urgency=medium

  * rules: Fix setting suid bit on Xorg.wrap.
  * rules: Don't ignore errors when setting the suid bit.

 -- Emilio Pozuelo Monfort <email address hidden>  Thu, 19 Jan 2017 19:14:06 +0100

Debian
xorg-server package

Change log for xorg-server package in Debian

Debianxorg-server package

Change log for xorg-server package in Debian

Debian
xorg-server package